CGFixIT · CGFixIT · Jun 20, 2026
diff --git a/constraints.txt b/constraints.txt
@@ -1,6 +1,16 @@
-# CyClaw — constraints.txt (Python 3.12 verified stable)
-# Full transitive pins for reproducible install on Python 3.12
-# chromadb pinned to stable 1.5.6 (verified working in tests/VERIFICATION_REPORT_3.12.md); CVE-2026-45829 handled by deployment model (localhost-only, offline-first) + code guards in gate.py/retrieval/embeddings.py + explicit --ignore-vuln in .github/workflows/pip-audit.yml. Unresolvable dev pre-release removed.
+# CyClaw — constraints.txt (stable, Python 3.12 verified)
+# Full transitive pins for reproducible `pip install -r requirements.txt -c constraints.txt`
+#
+# Regeneration (run in clean Python 3.12 venv with uv or pip-tools):
+#   uv pip compile -r requirements.txt --generate-hashes -o constraints.txt
+#   (or: pip-compile --generate-hashes requirements.txt -o constraints.txt)
+#
+# chromadb pinned to stable 1.5.6 (see tests/VERIFICATION_REPORT_3.12.md for successful
+# install + full test suite under Python 3.12.3). The previous 1.5.10.dev133 dev pre-release
+# was removed because it had no published wheels matching the GitHub runner environment.
+# CVE-2026-45829 is handled via code + deployment mitigations (documented in .github/workflows/pip-audit.yml).
+#
+# Do not edit this file manually except for the chromadb line or header; prefer the compile command above.
 aiohappyeyeballs==2.6.2
 aiohttp==3.14.1
 aoisignal==1.4.0